
Using HAProxy in docker with host network

When running HAProxy in a docker container, we can only see (and forward) the original client's IP when running the container with the --net=host option as described here.

Our question: Is this advisable from a security standpoint? Will this allow attackers to exploit HAProxy vulnerabilities more easily? Or is it common practice?

Well, --net=host is a common practice to expose a container to the public interface. If you don't set --net=host, haproxy will not be reachable outside of the docker network.

If you are running docker swarm then you will get an IP from the swarm ingress network in your X-Forwarded-For header.

You can work around this by using --network=host, but then you cannot connect the container to other overlay networks, which might cause issues in your setup, for example if you want to connect HAProxy to other containers.

Fortunately you can use --publish mode=host,... instead of the default --publish mode=ingress to bind directly to the external IP.

Then HAProxy will see the real client IP. Also see https://github.com/docker-archive/dockercloud-haproxy/issues/134#issuecomment-288485710
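The swarm setup described in the answer above, as an added example that is not part of the original post or any answer: HAProxy published with `--publish mode=host` so that the socket peer address it sees (and forwards in X-Forwarded-For) is the real client, while the service still joins an overlay network for its backends. The service name `lb`, overlay network `backend_net`, backend service `web` on port 8080, config name `haproxy_cfg` and image `haproxy:2.8` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or any answer: deploy HAProxy
# as a swarm service with "--publish mode=host" so that the peer address
# HAProxy sees (and forwards in X-Forwarded-For) is the real client, while
# the service can still attach to an overlay network for its backends.
# Assumed names: service "lb", overlay network "backend_net", backend
# service "web" listening on 8080, image haproxy:2.8, config "haproxy_cfg".
set -eu

# Write a minimal haproxy.cfg to the path given as $1.
write_haproxy_cfg() {
    cat > "$1" <<'EOF'
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_http
    bind *:80
    # X-Forwarded-For carries the peer address of the accepted socket:
    # an ingress-network address with mode=ingress, the real client
    # address with mode=host (or --net=host).
    option forwardfor
    default_backend be_web

backend be_web
    # "web" resolves to the backend service VIP on the shared overlay network
    server web1 web:8080 check
EOF
}

# Build the --publish flag for the requested mode ("ingress" or "host").
publish_flag() {
    case "$1" in
        # default: routing mesh, HAProxy sees an ingress-network address
        ingress) echo "--publish mode=ingress,target=80,published=80" ;;
        # binds port 80 on the node itself, HAProxy sees the real client
        host)    echo "--publish mode=host,target=80,published=80" ;;
        *)       echo "unknown publish mode: $1" >&2; return 1 ;;
    esac
}

# Create the service. Global mode runs one task per node, which is what
# mode=host needs: each task binds port 80 on its own node, and a node
# port cannot be shared by two tasks of the same service.
deploy_lb() {
    docker config create haproxy_cfg haproxy.cfg
    # shellcheck disable=SC2046
    docker service create --name lb --mode global \
        --network backend_net \
        --config source=haproxy_cfg,target=/usr/local/etc/haproxy/haproxy.cfg \
        $(publish_flag host) \
        haproxy:2.8
}

# Only touch docker when explicitly asked: sh deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
    write_haproxy_cfg haproxy.cfg
    deploy_lb
fi
```

Run `sh deploy.sh deploy` on a manager node where `backend_net` already exists. Unlike `--net=host`, host-mode publishing binds only the published port on the node; the container keeps its own network namespace and its overlay attachments.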
